NEAS[.]bad4455fe23772d5850cb704053ac270_JC[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NEAS.bad4455fe23772d5850cb704053ac270_JC.exe
Size

2.6MB
MD5

bad4455fe23772d5850cb704053ac270
SHA1

62eb084e9dd3af1b11cf000bbf99b21ab0be24e1
SHA256

ce3311fdf393557906ceeb8c69e33c5a8ef6a11c691a81ffb4ec2a19c470ca19
SHA512

cc5b841ff94a4ef1123d1128f59dd2a424f8f1d8d38d51087a41a3725fb72ee32b4fafc131503a7d416b92ad6c5b11add5f5eaa06b7015f1085582b8a4b8a8c9
SSDEEP

49152:VRkKEdzeFi8M7bQUNWHJxJid8UYO2EGbD4/iiAzL+iF7KlKwcddvZrv:q8MbQUXGbD6wd3

Score

1^/10

Malware Config

Signatures

Files

NEAS.bad4455fe23772d5850cb704053ac270_JC.exe
.dll windows:6 windows x64

e750b0d4f88462c11ca748152022eff8

Code Sign

33:00:00:00:74:f0:1e:99:d0:2a:28:6a:ca:00:00:00:00:00:74
Certificate

Issuer

CN=Microsoft Windows Phone Production PCA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 21:15

Not After

28/01/2017, 21:15

Subject

CN=Windows Phone,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0b:fc:f9:8e:58:4c:15:50:bf:00:00:00:00:00:0b
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

24/07/2012, 22:23

Not After

24/07/2027, 22:33

Subject

CN=Microsoft Windows Phone Production PCA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

83:eb:8c:da:fd:e4:ab:90:98:aa:b7:d7:da:e1:fd:61:f9:69:91:6e:84:8c:32:5e:bb:98:72:7e:8c:37:1e:fe
Signer

Actual PE Digest

83:eb:8c:da:fd:e4:ab:90:98:aa:b7:d7:da:e1:fd:61:f9:69:91:6e:84:8c:32:5e:bb:98:72:7e:8c:37:1e:fe

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

vcruntime140

__CxxFrameHandler3
memcpy
memcmp
memchr
strstr
wcschr
strchr
__unDName
wcsrchr
_purecall
memmove
_CxxThrowException
__std_exception_destroy
__std_exception_copy
memset
__std_type_info_destroy_list
__C_specific_handler
__telemetry_main_return_trigger
__telemetry_main_invoke_trigger
wcsstr
__std_terminate

api-ms-win-crt-string-l1-1-0

iswspace
strncpy
wcspbrk
wcsnlen
_wcsnicmp
_memicmp
wmemcpy_s
strncmp
iswalpha
strnlen
wcsncpy_s
wcsncat_s
wcscpy_s
iswdigit
towlower
wcscat_s
wcsncmp
strcmp
_strnicmp
wcscmp

api-ms-win-crt-runtime-l1-1-0

_errno
terminate
_cexit
_crt_atexit
_invalid_parameter_noinfo
_execute_onexit_table
_initterm_e
_seh_filter_dll
_initterm
_configure_narrow_argv
_initialize_onexit_table
_initialize_narrow_environment
_invalid_parameter_noinfo_noreturn
_register_onexit_function

api-ms-win-crt-heap-l1-1-0

_recalloc
calloc
free
realloc
_callnewh
malloc

api-ms-win-core-libraryloader-l1-1-1

SizeofResource
GetModuleHandleW
LockResource
LoadStringW
GetProcAddress
GetModuleFileNameW
LoadResource
DisableThreadLibraryCalls
GetModuleHandleExW
FindResourceExW
FreeLibraryAndExitThread
GetModuleHandleA
FreeLibrary
LoadLibraryExW

api-ms-win-core-heap-l1-1-0

HeapReAlloc
HeapFree
HeapDestroy
HeapAlloc
HeapSize
GetProcessHeap

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW

api-ms-win-core-synch-l1-1-0

CreateWaitableTimerExW
InitializeCriticalSectionEx
OpenEventW
WaitForMultipleObjectsEx
CreateEventA
SetEvent
SetWaitableTimer
DeleteCriticalSection
TryEnterCriticalSection
CreateEventW
InitializeCriticalSection
WaitForSingleObject
WaitForSingleObjectEx
EnterCriticalSection
ResetEvent
LeaveCriticalSection

api-ms-win-core-file-l1-1-0

GetFileTime
GetFileSizeEx
UnlockFile
SetFileInformationByHandle
SetFilePointer
SetFileTime
LockFileEx
GetFinalPathNameByHandleW
CreateDirectoryW
WriteFile
DeleteFileW
CreateFileW
QueryDosDeviceW
GetFileAttributesW
GetFullPathNameW
DeleteVolumeMountPointW
ReadFile
RemoveDirectoryW
FindClose
FindFirstFileExW
FindNextFileW
GetLogicalDrives

api-ms-win-core-errorhandling-l1-1-0

SetErrorMode
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError
RaiseException

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock
GlobalFree
LocalFree
GlobalAlloc

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-processthreads-l1-1-0

GetProcessIdOfThread
OpenThread
CreateThread
GetExitCodeThread
ResumeThread
ProcessIdToSessionId
GetExitCodeProcess
GetCurrentProcessId
GetThreadPriority
GetCurrentThreadId
CreateProcessW
SuspendThread
GetCurrentThread
OpenProcessToken
OpenThreadToken
TerminateProcess
GetCurrentProcess
GetProcessTimes

api-ms-win-core-sysinfo-l1-1-0

GetVersionExA
GetVersionExW
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetSystemInfo
GetTickCount
GetVersion
GetComputerNameExW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-processthreads-l1-1-1

GetThreadContext
OpenProcess
GetProcessHandleCount
FlushInstructionCache
SetThreadContext
IsProcessorFeaturePresent

vsdebugeng

Proc7E7DA05F4F334A3C130300B9DE219574
Proc0C211680A7F9624327EDD6ED30FD1C19
Proc2717980A0CDDDFF0805419095281221C
Proc439EB6AA207DB70F8ED3430FFCAB70A6
ProcB273E7878D41FB92871270ABB27F11FC
Proc7D50E6B1317E32B07752C1F6216C4ED7
Proc199972430544F641DFC1A35754AF1EC0
ProcD9DC7CF02117F80BE2495AB906AC64B0
ProcF505EE31F3B51D5736BBC626A76BFA18
Proc9828B496783EE3A4837AA6A8CB8EA07F
Proc19F3BC72A701F59F6D869826B65D2C66
Proc7F3F889DF5BFA8C78C8D53CD3D56516D
ProcBDD5283BDC1037CAEB03E474486393D9
Proc8C672BDBCF020F7AE79341774958AEB9
Proc97F5838B80CF47DFBB5C7A66C074A06E
Proc55EC41804080E2B7E746C99FC7ECB934
ProcCFC90B74E86F409E42174D75C612ECC1
ProcE57162D15B9C4A9B50CAF4AF489C894F
Proc63D01FE35215A6F186CDAAF3981ECB78
Proc59332EB271778BB3304504B24A36496A
ProcB74FE600C741C9E0EA9A5EB02EC32244
Proc401CC9B272AC84D4FD02EB44812606BA
Proc7F719CBB10CD5D871FFE04E029F3DB2E
Proc4C34599EEC6D0C6D02539A6CE0D3F759
ProcF61679F72873B9BAE44FF902F92DDDCC
Proc42D2B23BCA47F96E95181509DEC12952
Proc651C8C57EB784CC5D51DA3D9F911EC27
Proc5F637D126578416C0D844318F488E927
ProcF41F3F1AB2ABAEF7FFBC76C3B591E7F9
ProcF5C9FC936A5A04CE6DF00B7345A7E8CA
Proc274F93BAEC7EDA11FB3D8D31398F3E66
Proc67294CD5516F29DD623A0335B01E2B2D
ProcF7DC8A9B604DB7991F313B300879DB14
ProcF28A7C520914A2C602F64AC12940AEDD
ProcDkmString0
ProcDkmString3
ProcDkmGlobalSettings0
Get645AD40C25493913B4F735C441506A16
Proc86E901A98609A3892236B80CC83BC545
Proc2063EA8A5827C04D2BF6A7BA85E27556
Proc23E28172B8ED4C1CF1065854ACDA6236
Proc279D105745DA281D3F61B6DCF5411056
ProcDkmDataContainerSet
Proc094F295F322424992BB5E795A7035884
Proc25C283D1FA9B4F1F3979BA9CA8917013
Proc55C239704FB9EE8A91BCDFF2A41E9307
Proc425C8315F654ADA55907101C9C65A89A
Proc02B8A45DC663391C88C64FF8F16423AE
Proc2DCEF64A20FA074BCCA5B25B25800DEC
ProcDkmAlloc
ProcDkmFree
ProcDkmDataContainerGet
ProcDkmReleaseInterface
Proc43F8B1A71560988CDA93783A20518F4C
Proc5291958220F6BA230E62F74538F8E025
Proc007981F40FEA39E044F4D8CF4A9AC416
Proc9E3ED5522C1ACD43060FB6338D9ADDAD
Proc6A4CB9E6ACE0329D50B59CB473BB5DA6
Proc245EB5834F220A1C282AA6E2B457151C
ProcA2A87FA9B2EABE057C973454C4D0E0FE
Proc9FA203E127EE0B8B16CF94D1DBF8F7E5
ProcCFA56E1A30696A54C78DD3B62C48CB58
ProcDkmString4
ProcD60BA609E5572E71FE7454972F0CC2FE
Get250481482FAEDAA4BBEBC807B24DD715
ProcFDD9B7914B7C22033996520394B90F8A
ProcBA1057B67974B1DAE7A677E1B7156D48
ProcC3CB7743B5DBB83116E9365BACFA6AF3
ProcCAA57817DCAB36FA6857F059CC28E22C
Proc88303C178160F6B7A48F74A2AE8D50B5
ProcDkmString5
Proc712AEE7B1CBFE90A27AABC87EDA764C0
ProcCE0EAB9E1275E364CAA5CDF5BF2BF219
ProcCA87389EB16C25D55399B86CC7697716
ProcC7F5C260E52A1B26A2C10C0D8BF7787C
Proc8CB20AF3128815B290295CECB4F778C2
Proc94CE83C176C18E080657DE893B3FB7D1
Proc101685421B67B01CA3E0DB5E650B022E
ProcF4BC786AEBAC294EE9C4C0BB1B0F56A7
ProcD688232AC57081793FDDBBF3C263ABFA
Proc4E2ECDABAF53878BC2CB86BB0CA5DE92
ProcC0378E1124166D86890CA327620CB640
ProcDkmReadOnlyCollectionCreate
ProcDkmReadOnlyCollectionEmpty
ProcC58244BD2C547AB8EB3BF80233F4021A
Proc149EE765B2389BDD6C5B91E33BDBE963
ProcDkmVariant0
Proc22969485654512BB4766B642E35146B1
ProcE8EF7EF6768418441FE22C86348944FC
ProcDkmDataContainerRemove
ProcB7BFDF6A5DD40400B07E77E9E74DD0ED
ProcDA01083FD1F7BC6E21CF70FEBE852E08
ProcC551A87289B36A81E4E7DC67503FA13B
Proc720EFC94A30F2FDA0A06EC4DDEA4C417
Proc39CF936CBBD422C18149B4C96CF48257
Proc2A48A9D77297CAE270C2A2DBC52F163B
Proc9EB53CEDD4070927EF381FE18879D14F
ProcAA5382361712FF7C2DB61AF2F559F507
Proc8877C3D70304E8D4D8932D1B95A128BC
Proc41499D88B1F6924ECF29547583D8DD95
ProcA18DDACFF36E48D6F0D56719700A0A68
Proc830BF1EC32B2D50A6F454C73132E8D95
ProcE1E4C9C8AACD6229ECEA07922F384831
ProcD90E2CBB49C005FC3439C6A37E4DD05E
ProcA507F5EA1FFFB25DB6C264A1A3E9D9A0
Proc4102811B876B002C9EBF58B1231D3419
Proc7C607E439F8FC343B781AA531EE6CBEB
ProcB462A99D32FCE88A7D5A90C41736C64D
Proc6D04FF97A36E6FBE5A873E9E4D373191
Proc9EC9594DE9AD4721F7CA1A6661474411
Proc32C54A299942A4DF0FC187766A44B6D8
Proc46C70E124C967BA573D28ABE0C365815
Proc003CEB61065326C60432436C71B15AF3
Proc803C37AF1E9AECCD4C7CAE2B2785162A
Proc46A6B17E652C2B421E2B2F3B3E34CD21
ProcF0247C5D3632A8B6B5A018211C1D2410
Proc17820A171C58275B4CB2469D9614049B
Proc32245DDCC51A1CA87768FB26C135C6CF
ProcFF2EBEF240F6308F4BC2649DFFAED7C9
ProcAA61459CFDC30CEC49DA6E3BBD21802C
Proc6C79DBE9F40FE80E961282947D988039
Proc2344FF3BDFEDB69A0DC72C3155B8F61B
ProcC0CB9DB875E57138C93DFCE332C3D32C
Proc614B3EA5586AF72A6005519B6F6C9C50
ProcFD045CFE2611847953C966E4D4891465
Proc4C6C4F1118EF07A4E19E8D544DBDEEA0
Proc1EA107D7E0BFF457B5E6A661C838536A
Proc5A54344DA99A8E8110ED35DAA5DA2324
ProcDkmString2
Proc10463036625AB2B5AAA7F05509328531
ProcFB08A1C7BD77B71CAE548E8932D320E1
ProcDkmString1
Proc11942CA3E32D2CC5E71549580B4EEE2F
Proc20C5AC2C29FFB6772842DB423E85767C
Proc3CC4BB810E58E0616B44FC6441DB2E43
Proc08CD058CAA9E5478B87D9248545A2D2E
ProcEC7B013CEB23AA93633EDBA7FAB549B1
ProcED5672D2B090E000D7A7F7AD376C8B29
Proc7CBBB15E9B8502248D458346A2C09640
ProcDkmReadOnlyCollectionBadIndex
ProcC36364A347A1331856E21EB8986BAE70
Proc609FC4C1EFA5159E8A99CB48C4A049B6
ProcB93000BE4745096FE67A3B4F7FC0E930
Proc048095810FEB921258184BC243942C8C
Proc47057DDC632AD45CEC7B2F19D7C55FC5
Proc6C71BAFC0CA8B6BB34725A9DB87FBDAC
Proc78457549C84AD5A4D3E96DDC28B4A91D
Proc5A1A29171D03FC392A4795717141E0C3
ProcC1E64E1BAA30DE49027A7DBE4849ED6D
Proc13E806B9B3C4319EF36A2D0160C5F358
ProcF4FA5D54D06ED8FB9E7DEB680FC83C0D
ProcEC0AAA177C50B8CBA6F8BDF561155D7D
ProcAF31D72F6E65E289D17CCB5D3D2F418F
ProcA4A36CF75EB42A472782FD7825A58C9D
ProcA4A76835B9CD64AE968BA52BC84263FB
Proc444AC9BCFD60B3815B326D50A57FB1A3
Proc302B29EB2B5017008BE1DC136F1ED5EE
Proc876A5E63BBBE04526596CB8A99A5E9E0
Proc8E91C7F368DDB9C248E0EA2C17D165CC
Proc16CA6DBC76E2C8A566569B2E5A32737E
Proc8401C2C73D5357ECD8AA4E3714A68FA1
Proc63E53E7C4821AF09FA0624C5CADC370F
ProcDkmWorkListCancel
ProcDkmWorkListCreate
ProcB0836E7D3FCCD1861AFAC278588CCED8
ProcDkmWorkListExecute
Proc154EECF6D0808A631400840CD20CE9A7
Proc23A5971C1BF1E602DEE5AB4BEFB31342
Proc2C4711ACA8448D643F9553C50E310375
Proc8C8881FB7D3648D13E24DE5A80DD1F83
ProcAE64E2E60E05EDDB9DBF80F18CB6B1D1
Proc62D0A91244300EC2F3874A30E936DF26
ProcCB83857C81F60315EF70D865BF0E4B1A
Proc93E2EB641A58D187BC71A1FD19D779A4
Proc7729A748D025D8D1D27D5F70D2E2971C
Proc8EDE4866600ED1B4F51326202AD7B614
ProcB6924A74E6CDA01BDEFFD655172EAEE5
Proc58FA98A6DD9D52684EDFCF854B3AD73B
Proc494202493BBFB43009A6715156984C4D
ProcB1F5C35BB7205E5859519C63CAB11717
Proc07F31C87616869864CBF6033F37DAAB9
Proc35BF8659E4F78CFC4EDCF9F8C35DCF25
ProcA29A9B6A00CD4E346ACD54992947A817
Proc764B89CAFFE718355031F1555E23D68B
ProcBF51E4F2615C39213EB93E638D855420
ProcC0AB0BE9B5D47BDCB64470DFC9FA2B70
Proc2D82CAC96183DD7B6D1DF3394318FC27
ProcDC7ED1E90FA2A6178BEA83BB0A11B501
Proc1F204935389D2F99952CC27B3B392DC4
Proc0B7E2AD76C535C1C35C3948F1F2C45DF
ProcAC852ACB3B15D4C2B177E7AA9ED66C3F
Proc1E5B81BD4AF467AD6660DC94BD8BEDCC
Proc8B5D381DB7DEAB34963D4ED0B1F13B59
Proc46F4EBD73CFB584D76BA34433F61DB86
ProcC6E2961BDBDC1A9CA97272FF4B74A350
ProcA8484D0DF6D845608CC611EB2C6E61F9
ProcDkmPopComponentTransition
ProcDkmPushComponentTransition
ProcDkmUninitializeThread
ProcDkmInitializeThread
ProcDkmFindComponentHandle
Proc353AC2FCF8655B4292847535571BE6DA
ProcEE04EDDA44575ACCE2D895843CC5E455
Proc865805A776E7741A6D402D348F5B10C8
Proc35DBD0B3A9C4D65B34C9C9DC38DEEA7A
Proc92D5E0C5D4EAF1F319BEA651257EFED6
Proc0960E067C6E6CE7EBFEEDBBDFE1D27A8
ProcDkmWorkListQueryIsCurrentInstanceCanceled
Proc82FF1FA4E1EEAE6244230B42302688EF
Proc271368D023C6928C09CB19546C3F1AD1
ProcF525CDEB2CCDEEF6A83975AAF4A2818E
Proc00D734DD81ACDC01605A9CFD79A152DD
Proc4DD206531745B166ED6A848124817007
Proc30CD194706F2789B39BDA5888D5809D6
ProcA3074544DDDC4B69C83EE3A63BB51CC0
Proc2C5C54E587F4180B257B172F561B9D86
ProcE3287B6AD1874438A4638A94F83D8907
ProcEECEDA2F659A9B7F31A4E9CEBAF928D5
ProcE07A59DADEB847529B1EDACF190F9622
Proc312C43C3EBD40AA19100FC0BE9A909AB
ProcE4BE46E4F2212642D86BC4DCBC0F16DE
ProcDkmGlobalSettings1
Proc1045230454C0D39659EA1D5AD3413E7E
Proc6D698C640DFDABA88B6B6A8B78565B1C
ProcA035DEDBF7F91EB78B75DE7CDEB4644C
Proc7AB53941FD46A190C2C1AA3D528041D9
ProcD53F280F1F4958974C7D9C5765C56D3D
Proc660872E9B1A72FBC89EE136ED9490954
ProcCEC10D8029BB7FE6392177BA9943EDE1
Proc724F9A5CAEC412BD5A71787991347219
ProcDkmWorkListBeginExecution
ProcF0490F8C71F1B2038D9EFFE562E9CF9B
ProcDF334C7812DE5779F127659C7CD0F4FC
Proc0C053A2A86820E43F81FB08DAC8CE244
ProcB21AA3E884AF7F8C4F8D16E8F1985A39
Proc1DF54DB322921281DE98E82C2A0D2D12
ProcD5CA6002328EC4403BAE43C674FC3C77
ProcD87D1398C6DB7E1C5819A7AEF3065005
Proc3190D0E445D2FE7421CF79FA67C8F250
Proc8D47D19688BAF506460B4626D5B8D8EF
Proc8A6D7EC2A52F26AD397C691D3330A926
Proc39246E41B82608CB696343435CB621CC
Proc04C30C6994A0A82EB150AF86435B3156
Proc547EB931F10F0693AD8703D28E7D7E56
ProcE7A61A9F049FF2D74FDA1483C449EB9F
Proc2CDF0821065EEEAF4BF0768BBC714CF9
ProcAEA58B7861C86E08A55546A1C4D0ACAD
GetEE6D45A22822D04D9205C8DEAAD59330
Proc1DF3FBE6FE204B1CB87244F8FE368C24
Proc1BAFA69EABAF1980E4618AC80AEECB47
Proc7C740EFAED2FCAE33007EF4EB2BCA3CF
ProcFECA898F562A1BE8B44B5148E9227073
Proc8062E652D5F96A8E0C2A6911B6531328
ProcB903E44E274AEE5F81502120B9BD1748
Proc7A6C7A0227D6BD610F97D032767448A8
ProcAB099C958E2B4BDC4A6A8969DF728294
Proc687EB6BCECC901CC320D6678FDA635CC
Proc28873A94D65410FCC0056B9C83596DD0
Proc0293D2889DE6E0C14B909BC2A4CE0670
ProcE7E936BAFB8A03BADC8D5E852E215D5F
ProcD1DA8568A04474B5C880F261EDF65D23
Proc62AEDCA6411B5323C481C25484DCCF4C
Proc1FA1494806B172455F1A4B6BE214218C
ProcB9B9EE598794025081FE5A25D59297AD
Proc106265AC3459BC4D58F9E120E7890A5B
Proc5EC0E1ADE23A70FE021DAD12CAFFC595
Proc1F9658A9DD9C06D2D908C3ACB74E7E37
ProcD463863E27EBF9AED0D4A4E73EC97E94
ProcDkmIsApiVersionSupported
ProcA31BF86C4BAAC28B6F513340B5A73F45
ProcCB54C33EFFC65296BF4C0F6267CAF6B9
ProcCB71585F56FDF3F210F28B3A0397FDDA
Proc082B873EC32346B1AE1B7647612E71FD
ProcA34DFAA73EBF7F9AFDC8E6C494472623
ProcA0BA43B79BBE61B6ED073DE327837C99
Proc466368E9818C5AAA5A91F1B4871168C3
ProcF077EF6B9A532BB38F440A3E41457FEE
Proc0F86415E78B3D06F5C59926FF40D2E0A
Proc8A1248C3A4D0B316E04BDEB5C39F281A
Proc9712D292D3F561C85D575D1D1A169743
ProcB78DCC1D97D2784074F1B8AD23A79A8D
ProcC4606A8DA0BC602AF74AB3F9240E24F8
Proc94A9989CD07F6E368BE9234F2C761007
Proc37D0CD0D0909DE69E045690F177B6ED0
Proc8A5F09971F6A17F44FEF05D97B445AFD
Proc4B179835811F44DCE0F243F176717948
ProcC6565F2B8739BF2909221336A3BBE9C6
ProcE3FC472EC679C1DE3AB9FFAD538956CA
ProcE5290FEE5BE393C4CBEFDBC334154102
Proc25DDD68F4FB28923D10996B972BDEC74
ProcD6F5490DFB1533AA47E6BFB583FACB52
Proc12B8AEBDE8DC06ECC146022EFDF43BA0
ProcA5DB4FF28172AC8EE337B4F616F0D8FC
Proc264596E3D714E689ED29EB416C0EDB59
Proc535260FC7FAE6E6D8632B4D1639CFB53
Proc4013D302AF1F5E1D81F7B9F13E7BE15C
ProcA53162B525391FF931A42627F7AAD6A9
Proc8DE481C3F9EEB3173D2DF9D68D38D3BE
Proc424C754CDDD2CF45A942C20EED3CC893
ProcA1906536FCD2F44CD6AADD9DF63D8C47
ProcBE32FA660EB2DC5515B50746ABC4BD16
Proc74C5490FBA85CA138364F8B0304B5527
Proc73F92C73F402A0645B5F0E13E132A009
Proc72D8789037B29D9BE4656FCAB8B158C1
Proc21018EEF594F640991F4C8723510500B
Proc47D4E3D46CE7EA40D78544A4E2F2CCCB
Proc14365162F719EE309833526528F9F58D
ProcDA2C88FCD29A13D41642E51A73A0C5F3
Proc0CD674D84CB44BC00252F10D501563F9
ProcFC48FDC6FDEA04D6E5196CF1CBEEE2E4
Proc7C33005073B197E468D344B6CC30046F
Proc0F93893A27AD0F7C9A3E108C73ABCEF6
Proc49AD48ADCB8A261A843D2BA12C9F32C5
ProcFC3AC8AFD3E48032893695E2B35FD4A7
Proc55C9EB068F3F789821C74F5AA300C95A
Proc0AB3766D13B1A2E65AADEEF04F334E90
ProcF386FCA16584C1EAE2CEB33B55A36BA3
ProcE26FC60E9788891FD620E40D02F8214A
Proc75944E1AEDA5BD6E213831B42B08C09F
ProcA02F1303E8DBAEECF20626244D70D1FE
Proc0820CA92D0247DC5DF701F1C1ECEA7DF
Proc1B02BC6A77ED80B4C26F62A6EA215225
Proc0CDF6394547B1FFF45B26226166278EC
ProcB5A40924A64B8EAE759C31A3FB662C83
Proc7C3AE61C7EF3F5EE4DB84C590CFA3A55
Proc433E97E57EED993B1935CE0F8FCDFBC9
ProcD5DF80B568909F3E4178EEBD8D7A7EC6
Proc1CFBC051AB6DCE44A8D9DEC86C61AEAC
ProcD6035EBBD17B0D0141A839FB20A8A90F
ProcACB567FCFFFF620887A60A7FEDA08D1F
Proc698471DF4195CB1B70826EC3715C2DF8
Proc2BDC566C9437414EFB44DCA2FB0655BF
Proc96B2A0869281F2E9E1E8FB63DDDC012B
Proc83735219E8CC0CD40DBBF6F68C286948
Proc32F748045CAE5D710346099F66C76CBF
Proc1770D48A2E0076C5FD8CC68B89308134
ProcB8D112804ACF0EF98486C2DBE47F5860
ProcBBC3412E622A85C7A9C9A2B97362ACC4
Proc6B1CD2F016C6DF558BBBB8943EC462EA
Proc6C71106977747BA6FC983976EA66EDA2
Proc7D079F46E123AE813AB5174ED0D6B32F
ProcC5BFE310EA00C1AADA0609FD85CA1850
Proc128B9579786732D548FB332A0B330884
ProcCE2CA685D8412F7CDB1945E19E677AEA
ProcA8DA7BD7B83089DE1427BED550F265FD
Proc533B990E9F9B15A54DDC4E3E1D2E1078
ProcD9B624784E6703118CC321E078CF311C
ProcFABD4E8C140CD65DE4CD864B13DC532A
Proc6A78429E482A38FE4E0A0B929B65F919
Proc082C271A47113D797444C427094AAEDF
Proc2C8F3653A7BDEAB26FDAC5E12529D820
ProcE3F3FDC5E6B8677925C4831A2ED75A77
Proc6CE4E58CC03DB77D9C770472F95BCF46
Proc5CB5811D1BACC93EA38F7C6EB5841848
Proc1E8D5F0C922FF9B67FDDD80B2ED6503B
Proc5D753B006A653774876F8FE202132B7E
Proc37D73B0F874CC8F77777D40219EDB14A
ProcDDF5C25D3ECC4986F060A098E70A37F3
ProcA2F8C324E55FE9F51080FF9117FD8A9C
ProcFD4EE301C59FC0351D8CF4431CBC623B
ProcDkmVariant1
Proc33E7E6971423BF9A85008A3E9CFD7DC9
Proc387497D446792B6386776489669D2D7B
Proc98608ADF06A793AC0CBC13F3D18B0D2F
ProcF5AF3CCABE57E88CB0B16B900C3902FB
Proc3A0694C0796EC9D98A149DD4060D9907
Proc3F7A5E99E9EE6BB5EA4D1F588DA837D7
ProcCFC27B46EBDEFADA1E91D0A90B77634C
Proc8538455986C021ACA81FB03C2A62E0A6
Proc16C7D428BB76D469DE0C081CC2EB0A62
ProcC2A7595A78323D9ED538F97DF8858518
ProcA37C43580AE0BE2CB6442C2B38D91C85
Proc9EB16C97D0F941B559CA036DF7F4341E
Proc3E44E2254CE4725B5E4A486A9B526329
Proc44DBDEA6AB474E8EB67B5F2348EDCC20
Proc7AC8F22DCEDC5109A8CFCCDB1698A28C
Proc0EF47FFE709FF999FCFB290B7B514C72
Proc65ED8BA763F4CA7C25D2ABC81256282F
Proc1E701FEAF4CA56487DDB8AD758EC4739
ProcA598DC6767B6B5E321EA1C7E6742268C
Proc62E124921D164B7AECA13D786603EC06
ProcE195EB82A3658BBE184BF772FE70EE44
Proc3BC141B0950632BBEDF0F3A329B42598
ProcCCE97B15762479275D3FB2967C597CCB
Proc21FB0093543B45F8828E79D9EEF3AA3A
Proc8CE02648478ABDF8A3F6F73CE84429FA
ProcF7531579429F4DBD3A2C1DEED15F6A9B
Proc304D6F6048468BB211A98ECADD5190CC
ProcD2CB7DED0F650EA239322E6F3A6CB5A2
Proc893685F10EC87472D047E00FE7DBEF94
Proc08B4418EC0C18825B12F3E72299F915C
Proc4C53A066D18791671CC9C01BFA0C6D8D
ProcA58F0A1DAF5C4DEA3A4923BA8F90EF34
ProcB6D7212BE816425F674E88BD06E78AE0
ProcEC2187A9C958F50D8B7F6B6FDE462618
ProcF67FD0F8724B847483F082B115F61994
ProcA07FAFB63F4649DD290A721E8EFE4162
Proc1C7E85CB433B74A1BE139D8B40E53768
Proc4560E9791A28974C03DBB766B0923E3F
ProcDEEC88626A3FA552218C1327D95542B1
ProcC523C229635B2E14B58D880FD561BD8B
Proc22DAB17B5E419C4DFC5198EFBCADBC18
ProcCEB972D13FE445A9D304AD753C757552
Proc18F3F98E2BDA11EE2E0551E6EB174A15
Proc2C023BE617799C2FF565CF6F1E97153E
ProcE51D15F65E380193CA385BAB0E65C599

api-ms-win-crt-convert-l1-1-0

wcstoul
_wtoi
_itow_s
wcstol
_ui64tow_s
_ultow_s

api-ms-win-crt-utility-l1-1-0

bsearch
qsort
ldiv

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vfprintf
fclose
__stdio_common_vswprintf_s
__stdio_common_vswprintf
_wfopen_s

api-ms-win-crt-filesystem-l1-1-0

_wsplitpath_s

api-ms-win-crt-math-l1-1-0

log

msvcp140

?tolower@?$ctype@G@std@@QEBAGG@Z
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?is@?$ctype@G@std@@QEBA_NFG@Z

api-ms-win-core-com-l1-1-0

CreateStreamOnHGlobal
CoWaitForMultipleHandles
CoTaskMemFree
CLSIDFromString
CoInitializeEx
StringFromGUID2
CoTaskMemAlloc
CoCreateGuid
CoUninitialize
CoCreateInstance

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
CompareStringOrdinal

api-ms-win-core-synch-l1-2-0

Sleep
SleepConditionVariableCS
WakeAllConditionVariable
InitializeConditionVariable

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle
SetHandleInformation

api-ms-win-core-memory-l1-1-0

ReadProcessMemory
VirtualAllocEx
MapViewOfFile
OpenFileMappingW
VirtualFreeEx
WriteProcessMemory
UnmapViewOfFile
VirtualProtectEx
VirtualQueryEx

api-ms-win-core-processenvironment-l1-1-0

FreeEnvironmentStringsW
SearchPathW
GetEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW
ExpandEnvironmentStringsW

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
QueueUserWorkItem

api-ms-win-core-kernel32-legacy-l1-1-0

GetSystemWow64DirectoryW
WaitForMultipleObjects
GetComputerNameW
FindResourceW
UnregisterWait
LoadLibraryW
RegisterWaitForSingleObject
GetNamedPipeClientProcessId

api-ms-win-core-psapi-obsolete-l1-1-0

K32GetModuleFileNameExW
K32EnumProcessModules

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegGetValueW

api-ms-win-core-processtopology-obsolete-l1-1-0

SetThreadAffinityMask
GetProcessAffinityMask

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindExtensionW
PathFindFileNameW
PathFileExistsW

api-ms-win-core-localization-l1-2-0

LCMapStringW
FormatMessageW
GetThreadLocale
GetOEMCP

api-ms-win-core-debug-l1-1-1

DebugActiveProcess
DebugActiveProcessStop
WaitForDebugEvent
ContinueDebugEvent

api-ms-win-core-psapi-l1-1-0

K32GetMappedFileNameW
QueryFullProcessImageNameW

api-ms-win-core-namedpipe-l1-1-0

CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
ConnectNamedPipe
GetNamedPipeClientComputerNameW
ImpersonateNamedPipeClient

api-ms-win-security-base-l1-1-0

SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
SetSecurityDescriptorSacl
AdjustTokenPrivileges
IsValidSecurityDescriptor
GetTokenInformation
GetSidIdentifierAuthority
DuplicateToken
AllocateAndInitializeSid
AddAccessAllowedAce
AccessCheck
GetSidSubAuthorityCount
FreeSid
InitializeSecurityDescriptor
MakeAbsoluteSD
GetSecurityDescriptorControl
GetAclInformation
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
AddAce
InitializeAcl
IsValidSid
GetLengthSid
CopySid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
RevertToSelf
GetSecurityDescriptorSacl
EqualSid

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW
LookupPrivilegeValueW
LookupAccountSidW

api-ms-win-core-io-l1-1-0

GetOverlappedResult
CancelIoEx

api-ms-win-core-io-l1-1-1

CancelIo

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-registry-l2-1-0

RegConnectRegistryW

api-ms-win-core-string-l2-1-0

CharLowerBuffW

api-ms-win-core-toolhelp-l1-1-0

Thread32Next
Process32FirstW
Module32NextW
Thread32First
CreateToolhelp32Snapshot
Process32NextW
Module32FirstW

oleaut32

SysFreeString
SysAllocString
VarBstrCat
SysStringLen
SysAllocStringLen
VariantInit
VariantClear
SysAllocStringByteLen
VariantCopy
SysStringByteLen

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateString

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoInitialize
RoGetActivationFactory

cryptsp

CryptCreateHash
CryptHashData
CryptDestroyHash
CryptReleaseContext
CryptAcquireContextA
CryptGetHashParam

Exports

Exports

CreateIDebugObject
DllGetClassObject
DllGetComponentAvailable
GetDefaultEngineForAppxExe
GetVilValueFieldOffset
ImplDllCreateInstance
WrapICorDebugHandleValue

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 965KB - Virtual size: 965KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 115KB - Virtual size: 119KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.giats
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e750b0d4f88462c11ca748152022eff8

Code Sign

33:00:00:00:74:f0:1e:99:d0:2a:28:6a:ca:00:00:00:00:00:74Certificate

Extended Key Usages

33:00:00:00:0b:fc:f9:8e:58:4c:15:50:bf:00:00:00:00:00:0bCertificate

Key Usages

83:eb:8c:da:fd:e4:ab:90:98:aa:b7:d7:da:e1:fd:61:f9:69:91:6e:84:8c:32:5e:bb:98:72:7e:8c:37:1e:feSigner

Headers

DLL Characteristics

File Characteristics

Imports

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-core-libraryloader-l1-1-1

api-ms-win-core-heap-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-processthreads-l1-1-1

vsdebugeng

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

msvcp140

api-ms-win-core-com-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-psapi-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processtopology-obsolete-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-namedpipe-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-io-l1-1-1

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-toolhelp-l1-1-0

oleaut32

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

cryptsp

Exports

Exports

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.rdata Size: 965KB - Virtual size: 965KB

.data Size: 115KB - Virtual size: 119KB

.pdata Size: 48KB - Virtual size: 47KB

.gfids Size: 512B - Virtual size: 64B

.giats Size: 512B - Virtual size: 8B

.tls Size: 512B - Virtual size: 9B

33:00:00:00:74:f0:1e:99:d0:2a:28:6a:ca:00:00:00:00:00:74
Certificate

33:00:00:00:0b:fc:f9:8e:58:4c:15:50:bf:00:00:00:00:00:0b
Certificate

83:eb:8c:da:fd:e4:ab:90:98:aa:b7:d7:da:e1:fd:61:f9:69:91:6e:84:8c:32:5e:bb:98:72:7e:8c:37:1e:fe
Signer

.text
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 965KB - Virtual size: 965KB

.data
Size: 115KB - Virtual size: 119KB

.pdata
Size: 48KB - Virtual size: 47KB

.gfids
Size: 512B - Virtual size: 64B

.giats
Size: 512B - Virtual size: 8B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 36KB - Virtual size: 35KB